CN102077542B - Secure digital communications - Google Patents

Abstract

There is disclosed a method in a communications system for enabling authentication of a sender device and a receiver device in the communication system, wherein the sender device is associated with a self-generated first identity and a first master device, the receiver device is associated with a self-generated second identity and a second master device and wherein the authentication is enabled by utilizing the first master device and the second master device for the sender device and the receiver device to verify the identities of each other. In one embodiment, both the sender device and the receiver device are also associatd with a third device ant the third device is used in addition to the master devices for verifying said identities. There is also disclosed a method in a sender device, a method in a receiver device, a method in a third device, a sender device, a receiver device, a third device, and a computer program product for the same.

Description

Secure Digital Communication

technical field

The present invention relates to digital communication systems, and more particularly to methods and apparatus for implementing authentication in such digital communication systems.

Background technique

The internet has revolutionized the way of doing business and has changed consumer behavior in a very short span of time. However, electronic commerce can realize its full potential only when a certain number of important conditions are met. One of these conditions will be the potential security of data transmitted on the Internet, intranets and extranets.

Accordingly, there is an increasing need to create secure encapsulated transfers of information between sender and receiver devices in digital communication systems and networks. In areas such as digital business communications, digital currency transactions, digital product transfers, etc., it is important that information encapsulation does not fall into the wrong hands, for example into unauthorized hands or tampered with by participating parties or unauthorized third parties. It is also important that the sender and receiver can trust each other.

Contents of the invention

In view of the above and other deficiencies of the related art, it is desirable to achieve an improved method for digital communication, in particular, an improved method for digital communication with improved security, authentication and/or traceability. Furthermore, advantageously, a communication system is achieved that includes at least some of these advantages and/or improvements. Furthermore, advantageously, a sender device and/or a receiver device is implemented enabling improved digital communication with improved security and/or authentication and/or traceability.

In order to better deal with one or more of these problems, in a first aspect of the present invention, a method in a communication system is provided. There is thus provided a method in a communication system for authenticating a sender device and a receiver device in the communication system, wherein the method includes: creating an identity of the sender device by the sender device; said recipient device creating an identity of said recipient device; sending by said sender device to said recipient device a request related to establishing a relationship between said sender device and said recipient device; by said sender device The receiver device sends at least the identifier of the second master device to the sender device; the sender device sends the identifier of the second master device to the first master device; a second master device sends a request related to a communication condition required by the sender device in order to establish communication with the receiver device; the communication condition is sent from the second master device to the first master device; at When the sender device meets the communication condition, the sender device provides the first access key to the first master device; and the receiver device provides the second access key to the second master device. Two access keys.

The disclosed method may provide improved digital communication between a sender device and a recipient device, since the communication between the sender device and the recipient device may involve at least one additional communication device, and wherein the at least one An additional communication device communicates identification information associated with the sender device and the recipient device. By means of said at least one additional communication device possibly involved at some stage of the communication between said sender device and said receiver device, digital communication may be improved with regard to improved traceability. For the same reason, digital communication can be improved with improved security. For the same reason, digital communication can be improved with improved authentication. For the same reason, digital communication can be improved with improved access.

The request to the recipient device related to establishing a relationship between the sender device and the recipient device may include at least an identification of a first group of devices, and wherein the method further comprises: by the recipient device receiving the request; sending, by the recipient device to the sender device, at least an identification of a second group of devices; receiving, by the sender device, an identification of the second group; being simultaneously present as the first group of devices and in the case of at least one third device of one of the devices in the second device group, sending by the sender device a request related to requesting a reference from the at least one third device with respect to the recipient device; receiving a reference request by the recipient device and sending the request to the at least one third device by the recipient device; receiving the reference by the recipient device and sending the request to the at least one third device by the recipient device sending the reference by the sender device; receiving the reference by the sender device; in response thereto: creating, by the sender device, a first public encryption key for establishing an encryption key from the sender device to the recipient communication of a sender device; encryption of said reference by said sender device using said first public encryption key; encryption of said first public encryption key by said sender device using an additional public encryption key ; sending the encrypted reference and the encrypted first public encryption key by the sender device to the receiver device; sending the encrypted first public encryption key by the receiver device to the at least one third device an encryption key; decrypting, by the at least one third device, the encrypted first public encryption key; sending, by the at least one third device, the decrypted first public encryption key to the recipient device; decrypting, by the recipient device, the encrypted reference; and verifying, by the recipient device, the decrypted reference.

The system may also include a fourth device and a fifth device, and the sender device may be associated with the fourth device, the receiver device is associated with the fifth device, and the fourth device associated with said fifth device; and wherein, in the absence of at least one third device that is both a device in said first device group and said second device group, said method may include : sending, by the sender device, a request related to requesting a reference from the fifth device with respect to the recipient device, wherein the request is sent to the recipient device; sending by the recipient device to the The fifth device forwards the request; the fifth device sends the reference to the receiver device; the receiver device forwards the reference to the sender device; the sender device sends the reference to the sender device the fourth device sends the reference; the fourth device verifies the reference, and the fourth device sends the verified reference to the sender device; the sender device creates a first public encrypted a key for establishing communication from said sender device to said receiver device; said reference is encrypted by said sender device using said first public encryption key; used by said sender device encrypting the first public encryption key with an additional public encryption key; sending the encrypted reference and the encrypted first public encryption key by the sender device to the receiver device; The device sends the encrypted first public encryption key to the fourth device via the fifth device; the encrypted first public encryption key is decrypted by the fourth device; The fifth device sends the decrypted first public encryption key to the recipient device; decrypts, by the recipient device, the encrypted reference; and verifies, by the recipient device, the decrypted reference.

According to a second aspect, there is provided a method performed by a sender device to achieve authentication, the method comprising: creating an identity of the sender device; A request related to establishing a relationship between a party device, wherein the request includes at least an identifier of a first device group; receives at least an identifier of a second device group from the recipient device; Where there is at least one public third device in the device group, sending a request related to requesting a reference from the at least third device with respect to the recipient device; receiving the reference from the recipient device; creating a first a public encryption key for establishing communication from said sender device to said recipient device; encrypting said reference using said first public encryption key; encrypting said first public encryption key using an additional public encryption key encrypting with a public encryption key; sending the encrypted reference and the encrypted first public encryption key to said recipient device.

The sender device may be associated with a fourth device, the recipient device may be associated with a fifth device, and the fourth device may be associated with the fifth device; and wherein, at the first In the case that there is no at least one common third device in the device group and the second device group, the method may further include: sending a request related to requesting a reference from the fourth device about the recipient device; Wherein, the request may be forwarded from the fourth device to the fifth device; receive the reference from the fourth device; create a first public encryption key for establishing the communication from the sender device to the fifth device; encrypting the reference using the first public encryption key; encrypting the first public encryption key using an additional public encryption key; and sending the encrypted An encrypted reference and an encrypted first public encryption key.

The reference may include a serial number, and the reference may be related to the identification of the recipient device performed by the third device, and the reference may be associated with the sender device.

The first public encryption key may be arranged to be used by the sender device in future communications from the sender device to the receiver device.

The method may further comprise creating an additional public encryption key for establishing communication from the sender device to the second recipient device, wherein the additional public encryption key may be identical to the first public encryption key different.

The method may further comprise: sending to a first auxiliary device a request related to establishing a relationship between the sender device and the receiver device; requesting a reference-related request for the recipient device; and sending the encrypted reference and the encrypted first public encryption key to the first accessory device.

The request related to establishing a relationship between the sender device and the recipient device, the request related to requesting a reference to the recipient device from the at least a third device, and the already The encrypted reference and the encrypted first public encryption key may also include a digital signature, and the digital signature may be associated with the sending device.

According to a third aspect, there is provided a method performed by a recipient device to achieve authentication, wherein the method comprises: creating an identity of the recipient device; A request related to establishing a relationship between sender devices, wherein the request includes at least an identifier of a first device group; at least sends an identifier of a second device group to the sender device; When there is at least one public third device in the two-device group, sending a request related to requesting a reference from the at least third device about the receiver device; sending the reference to the sender device; The recipient device receives the encrypted reference and the encrypted first public encryption key; sends the encrypted first public encryption key to the at least one third device; receives the decrypted first public encryption key; decrypting the encrypted reference; and verifying the decrypted reference.

The sender device may be associated with a fourth device, the recipient device may be associated with a fifth device, and the fourth device may be associated with the fifth device; and in the first device group In the case that there is no at least one common third device in the second device group, the method may further include: sending a request related to requesting a reference from the fifth device about the recipient device; wherein the The request is forwarded from the fourth device to the fifth device; the reference is sent to the fifth device; the encrypted reference and the encrypted first public encryption key are received; The fourth device sends the encrypted first public encryption key; receives the decrypted first public encryption key; decrypts the encrypted reference; and verifies the decrypted reference.

According to a fourth aspect, there is provided a method performed by a third device to achieve authentication, wherein the method comprises: creating an identity of the third device; receiving a reference request for the recipient device from a recipient device; sending, by the third device, a reference to the recipient device; receiving an encrypted first public encryption key; decrypting the encrypted first public encryption key; and sending the decrypted public encryption key to the recipient device A first public encryption key.

The reference may be related to an identification of the recipient device performed by the third device, and the reference may be associated with the sender device.

According to a fifth aspect, there is provided a communication device comprising circuitry configured to perform the method according to any one of the first, second, third or fourth aspects.

According to a sixth aspect there is provided a computer program product comprising: computer program code stored on a computer-readable storage medium and which, when executed on a processor, performs the 1. The method according to any one of the second, third or fourth aspects.

According to a seventh aspect, there is provided a method in a communication system for implementing authentication of a sender device and a receiver device in the communication system, wherein the sender device is associated with the first identifier and the first master device is associated with a third device; the recipient device is associated with a second identity, a second master device, and the third device; and wherein the authentication is achieved by using the first master device, the second master device, and the third device, so that the sender device and the receiver device verify each other's identities.

According to an eighth aspect, there is provided a method performed by a sender device to implement authentication, the method comprising: creating an identity of the sender device; receiving at least the identification of the second main device; sending the identification of the second main device to the first main device; receiving a message related to the confirmation of the communication condition; When the device satisfies the communication condition, provide the first master device with the first access key.

According to a ninth aspect, there is provided a method performed by a recipient device to achieve authentication, the method comprising: creating an identity of the recipient device; receiving and establishing a relationship between a sender device and the recipient device Related requests; sending at least the identity of the second master device to the sender device; receiving a message related to the confirmation of the communication condition; and when the sender device meets the communication condition, sending the Provide a second access key.

The second, third, fourth, fifth, sixth, seventh, eighth and ninth aspects may generally have the same features and advantages as the first aspect.

The features of the eighth aspect may also be the features of the second aspect. The features of the ninth aspect may also be the features of the third aspect.

Other aspects, features and advantages of the disclosed embodiments of the present invention will become apparent from the following detailed disclosure, appended claims and drawings.

Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to "a/a/the [element, device, component, means, step, etc.]" should be construed openly as referring to at least one instance of the element, device, component, means, step, etc., Unless expressly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.

Description of drawings

Embodiments of the invention will now be described in more detail with reference to the accompanying drawings, in which:

1 is a schematic diagram of a communication system according to an embodiment;

Figure 2 is a schematic diagram of a communication system according to an embodiment;

Figure 3 is a schematic diagram of a communication system according to an embodiment;

Figure 4 is a schematic diagram of a communication system according to an embodiment;

5 is a schematic diagram of a communication system according to an embodiment;

Figure 6 is a flowchart of a method according to an embodiment;

Detailed ways

Embodiments of the present invention will now be described more fully hereinafter with reference to the accompanying drawings in which specific embodiments of the invention are shown. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided by way of illustration so that this disclosure will be thorough and complete, and will convey to Those skilled in the art will fully convey the scope of the present invention. Furthermore, like numerals refer to like elements throughout.

FIG. 1 shows a schematic diagram of an example communication system 100 in which the disclosed embodiments may be applied. The communication system 100 includes a plurality of communication devices 102, 104, 106, 110, 112, 114, which may or may not be capable of communicating with each other. A method will be described below in which a first communication device 102 (hereinafter denoted sender device 102 ) wishes to establish a connection with a second communication device 104 (hereinafter denoted receiver device 104 ). It should be understood that in the communication system 100, the communication device 102 is not limited to only being a sender device, alternatively, it may be a receiver device or function as both a sender device and a receiver device. Similarly, in the communication system 100, the communication device 104 is not limited to only being a receiver device, alternatively, it may be a sender device or function as both a receiver device and a sender device. That is, any communication device in communication system 100 may include both sender and receiver capabilities. The sender or receiver device can also act as a third party device. The functionality of the third party device is further described below. It should be noted, however, that when communication is to be established between the sender device 102 and the receiver device 104, neither the sender device 102 nor the receiver device 104 may act as a second device in the process of establishing the communication between the devices 102 and 104. Third-party devices.

The following will assume that at least a portion of system 100 is in operation.

When communication devices 102, 104, 106, 108, 110, 112, 114 are connected to system 100, each communication device 102, 104, 106, 108, 110, 112, 114 may create a The unique identification or identity of the communication device 102, 104, 106, 108, 110, 112, 114. It should be noted that the unique identity defined by this identification may not be verified by any other communication devices 102 , 104 , 106 , 108 , 110 , 112 , 114 in the system 100 . Other devices in system 100 accept this unique identity when establishing a relationship (ie, communicating). Therefore, this unique identity is used for matching purposes and may not have a controlling authority. Furthermore, as will be explained below, even if a second device in system 100 copies the unique identity of a first device in system 100, or alternatively, the identity of the first device happens to be the same as the identity of the second device, this The process of establishing a digital relationship between two devices in system 100 will not be affected.

Typically, this unique identity may take the form of a sequence of random binary numbers or integers. The longer the sequence, the higher the probability of generating a sequence that is unique to each communication device 102 , 104 , 106 , 108 , 110 , 112 , 114 . The unique identity may alternatively or additionally be associated with a serial number of the communication device 102 , 104 , 106 , 108 , 110 , 112 , 114 .

Accordingly, a communication device 102 , 104 , 106 , 108 , 110 , 112 , 114 capable of communicating with other communication devices 102 , 104 , 106 , 108 , 110 , 112 , 114 is associated with a digital identity. Digital identities can also be associated with referenced numbers. A reference to a digital identity may be related to that provided by the other communication device 102, 104, 106, 108, 110, 112, 114 with respect to the communication device 102, 104, 106, 108, 110, 112, 114 associated with said digital identity Collated information is related. References are discussed further below.

In an initial step, the sender device 102 creates an identity of the sender device 102 and the recipient device 104 creates an identity of the recipient device 104 . Typically, a communication device 102, 104, 106, 108, 110, 112, 114 may only need to create an identity once.

Each communication device 102, 104, 106, 108, 110, 112, 114 may track each established communication by, for example, associating each established communication with a serial number. A serial number is associated with a communication device with which communication has been established.

In FIG. 1, solid lines 116, 118, 120, 122, 124, 126, 128, 130 between two communication devices 102, 104, 106, 108, 110, 112, 114 represent Communication between the two communication devices at each end of 120, 122, 124, 126, 128, 130 has previously been established. For example, assume that the recipient device 104 has previously established communication with the communication devices 106 , 110 , 112 as indicated by the solid lines 130 , 122 , 124 in FIG. 1 . As indicated by dashed line 132, communication is about to be established between the sender device 102 and the recipient device 104. As shown in FIG.

Assume further that the relative order in which communications are established from recipient device 104 to communication devices 106 , 110 , 112 is established in order 106 , 112 , 110 . That is, the communication from recipient device 104 to communication device 112 is established before the communication from recipient device 104 to communication device 110 is established, and after the communication from recipient device 104 to communication device 106 is established.

All serial numbers of the communication devices may be associated with the list of serial numbers. Preferably, the list is stored in the communication device. Let L104 denote a list of serial numbers of recipient devices 104 . The additional identification information of communication device 106 as explained by sender device 104 is denoted as ID(104, 106), and similarly, ID(104, 110) and ID(104, 112) are used for communication devices 110 and 112 respectively .

The sequence number of the communication established from the first communication device to the second communication device may also include a number indicating the relative order in which the communication was established from the second device to the first device. Assume that communication device 110 establishes communication with devices 104 , 112 , 114 in order 112 , 104 , 114 . That is, in this example scenario, the communication from communication device 110 to sender device 104 is the second (2nd) communication established from communication device 110 . Similarly, assume that in this example, the communication from third device 106 to recipient device 104 is the third (3rd) communication established from third device 106; assume that in this example, the communication from communication device 112 to recipient The communication of device 104 is the fifth (5th) communication established from the third device 112 .

So in this example scenario, the list L (104) of serial numbers of recipient devices 104 may have the following form:

L(104) = ID(104, 106), 3

ID(104, 112), 5

ID(104, 110), 2

Thus, using such a list of serial numbers included in a communication device 102, 104, 106, 108, 110, 112, 114 allows two or more communication devices 102, 104, 106, 108, 110, 112, 114 are associated with the same unique identity without creating conflicting claims in communication system 100 .

Assume that as shown in dotted line 132 in Figure 1, the sender device 102 wishes to establish communication with the receiver device 104, the sender device 102 sends to the receiver device 104 and establishes a relationship between the sender device 102 and the receiver device 104 related requests.

The recipient device 104 then sends to the sender device 102 the identification of at least the second master device 154 . When receiving the identity of the second master device 154 , the sender device 102 forwards the identity of the second master device 154 to the first master device 152 .

The first master device 152 and the second master device 154 may be considered digital notaries. A digital notary can be a company, agency, or authority, etc., that can act as a notary in digital communication systems and networks. Thus, the digital notary can provide authenticated digital evidence. The digital evidence will be further disclosed below. Digital evidence can also provide archives and/or functions and/or means. Certification of master devices 152 and 154 by the organization may be required, see below.

Then the first master device 152 sends a request related to the communication condition to the second master device 154 , wherein the condition according to the second master device 154 needs to be satisfied in order for the sender device 102 to establish communication with the receiver device 104 . A communication condition may be associated with a set of values that may be related to security issues and identification issues. For example, the identification issue may relate to a communication strategy, such as a communication protocol, used between the sender device 102 and the recipient device 104 . It should be noted that the first master device 152 need not communicate the identity of the sender device 102 to the second master device 154 .

The second master device 154 then sends the communication conditions to the first master device 152 . In the case that the sender device 102 satisfies the communication condition, the first master device 152 may confirm to the second master device 154 that the communication condition is satisfied. Similarly, the first master device 152 may communicate to the second master device 154 a communication condition that the recipient device 104 needs to satisfy in order to establish communication with the sender device 102 .

The sender device 102 may then provide the first access key to the first master device 152 and the recipient device 104 may provide the second access key to the second master device 154 . Access rights can thus be achieved by using such an access key.

Communications related to the sender device 102 and the recipient device 104 can then be effected between the first master device 152 and the second master device 154 . By using the first master device 152 and the second master device 154, authentication of the sender device 102 and the receiver device 104 can be achieved.

The request sent from the sender device 102 to the recipient device 104 related to establishing a relationship between the sender device 102 and the recipient device 104 may include an identification of at least the first group of devices 106 , 108 . The first device group 106, 108 is a group of devices with which the sender device 102 has previously established communication. In this case, the disclosed method can continue as follows. Recipient device 104 receives the request. In response to the request, the recipient device 104 analyzes the identities of the devices included in the first device group 106, 108 and compares these identities with the intermediary device groups 106, 110, 112 with which the recipient device has previously established communication. . The recipient device 104 then sends to the sender device 102 an identification of at least the second device group. The second device group includes devices 106 included in both the first device group and the intermediate device group. That is, the second group includes devices 106 that are common and known to both the sender device and the recipient device, or in other words, devices with which both the sender device 102 and the recipient device 104 have previously established a connection. That is, if the sender device 102 and the recipient device 104 do not have a common communication device with which they both have previously established communication, then the second group may be represented by an empty set. The sender device 102 then receives the identification of the second group.

In case there is at least one common device (hereinafter denoted third device 106 ) in the first device group and said second device group, the establishment of the communication between the sender device and the receiver proceeds as follows. The sender device 102 requests a reference to the recipient device 104 from at least one public third device 106 .

References have been briefly discussed above. References can be based on hash values. Hash values themselves are well known in the art and are therefore not further described in this disclosure. A reference may also be based on a collection of claims, wherein the claims may be related to, among other things, contact information (eg, name and/or address) of the user of the device to which the reference is associated. For example, if the reference is associated with the recipient device 104, the reference may include the name and/or address of the recipient device 104 and/or the user of the recipient device 104. References can be included in XML documents.

Additionally, references can be associated with senders and receivers. In other words, therefore, the reference can be considered to be signed (by the sender) to the recipient, wherein the signature used to sign the reference thus advantageously comprises the identification of the recipient device.

Optionally, when a reference is sent from a first device to a second device, such as when a reference is sent from recipient device 104 to sender device 102, the reference can be encrypted, which generally improves the confidentiality and privacy of the transmission. Security, especially to improve the confidentiality and security of the transmission of references.

The sender device 102 requests a reference to the recipient device 104 from the third device 106, wherein the reference sent from the third device 106 is addressed to and associated with the sender device 102, and wherein the reference includes The sent message of can be encrypted by the third device 106 so that only the sender device 102 can decrypt the portion of the message that includes the reference. The sender device 102 may, for example, request information related to the identification of the recipient device 104 as performed by the third device 106 .

That is, the third device 106 may perform the identification of the recipient device 104 by comparing the references or reference values. The reference value can be a hash value. Alternatively, the reference value may be a serial number. Alternatively, the reference may be identity information received from the sender device. References or reference values can be a combination of hash values, serial numbers, and identity information.

The third device 106 can therefore be considered a trusted third part. Information related to the identification of the recipient device 104 may be associated with a previously established communication between the recipient device 104 and the third device 106 .

When the sender device 102 receives a reference from the third device 106, where the reference has been sent from the third device 106 to the sender device 102 via the recipient device 104, the sender device 102 can combine the information included in the reference with The reference is checked against previously stored information associated with the third device 106, such as a serial number associated with a previous communication between the sender device 102 and the third device 106. If the portion of the message including the reference has been encrypted by the third device 106, the sender device 102 may first need to decrypt the message.

The reference may also be associated with the sender device 102 by incorporating an address field in the reference and adding the identity of the sender device 102 in the address field. This increases the security of the process, because the sender device 102 can ensure that the information transmitted to the third device 102 is associated with the sender device 102, even though the request is sent from the sender device 102 to the receiver device 104, while is not sent directly from the sender device 102 to the third device 106 . That is, the recipient device 104 receives the reference request, and the recipient device 104 forwards the reference request to the third device 106 . The third device 106 thus receives a reference request for the recipient device 104 from the recipient device 104 . The third device 106 then sends the reference to the recipient device 104 . The recipient device 106 thus receives the reference and sends the reference to the sender device 102, which receives and verifies the reference.

The sender device 102 may then create a first public encryption key for use in establishing communications from the sender device 102 to the recipient device 104 .

The sender device 102 then encrypts the received reference using the created first public encryption key. Furthermore, the sender device 102 encrypts the created first public encryption key using an additional public encryption key associated with a previously established communication between the sender device 102 and the third device 106 couplet. The encrypted first public encryption key and the encrypted received reference are then sent from the sender device 102 to the recipient device 104 . The recipient device 104 therefore has no knowledge of the first public encryption key created by the sender device 102 . Additionally, the recipient device 104 has no knowledge of additional public encryption keys associated with previously established communications between the sender device 102 and the third device 106 . Accordingly, the recipient device 104 is unable to decrypt neither the encrypted first public encryption key nor the encrypted received reference.

In order for the recipient device 104 to verify the information related to the previously established communication between the recipient device 104 and the third device 106 included in the encrypted reference, the recipient device 104 forwards the encrypted first public encryption key to to the third device 106 . The message sent from the recipient device 104 to the third device 106 also includes a request related to decrypting the encrypted first public encryption key. Since the first public encryption key has been encrypted with the additional public encryption key associated with the previously established communication between the sender device 102 and the third device 106 as described above, the third device 106 is able to encrypt the encrypted The first public encryption key for decryption. The decrypted first public encryption key may then be sent back from the third device 106 to the recipient device 104 . For increased security, the third device 106 may encrypt the decrypted first public encryption key with an additional public encryption key using other public encryption keys, wherein the additional public encryption key is identical to the is associated with a previously established communication between the recipient device 104.

Since the recipient device 104 knows the other public encryption key that was used to encrypt the first public encryption key, the recipient device 104 can decrypt the received encrypted first public encryption key after receiving .

Thus, using the decrypted first public encryption key, the recipient device 104 can decrypt previously received encrypted references related to previously established communications between the recipient device 104 and the third device 106 . The recipient device 104 can then verify the content of the reference. That is, by comparing the information included in the reference with the information included in the recipient device 104 (e.g., a serial number), the recipient device 104 can verify that the information included in the reference is correct and indeed consistent with the A previously established communication between the three devices 106 is related.

If the reference includes a hash value (as described above), recipient device 104 may calculate a hash value of the first public encryption key. The recipient device 104 may then compare this calculated hash value to the hash value included in the reference to verify that during transmission from the third device 106 to the sender device 102 via the recipient device 104, or The reference is not altered during transmission from the third device 106 to the recipient device 104 .

It can be considered that the established communication between the sender device 102 and the recipient device 104 defines a digital contract. Thus, a digital contract may relate to a digital relationship between two or more communication devices 102, 104, 106, 108, 110, 112, 114, wherein the contract may include information related to digital signatures and/or digital evidence (as further disclosed below). When a communication device 102, 104, 106, 108, 110, 112, 114 interacts or communicates with other communication devices 102, 104, 106, 108, 110, 112, 114, the digital contract thus created may be used to identify the communication Devices 102, 104, 106, 108, 110, 112, 114. Digital contracts can be used for authentication, access rights and/or signature purposes. Thus digital contracts can be used to retrieve references.

FIG. 2 shows a schematic diagram of a communication system 200 to which the present invention is applicable. As in communication system 100 of FIG. 1 , communication system 200 includes a plurality of communication devices 102, 104, 202, 204, 206, 208, 210, which may or may not be in communication with each other.

It will be assumed below that the system 200 is in operation and that communication is to be established between the sender device 102 and the receiver device 104 as indicated by dashed line 224 .

As in the method disclosed above with reference to the communication system 100 of FIG. 1 , in the communication system 200 a first device 102 (denoted as a sender device) wishes to establish communication with a second device 104 (denoted as a receiver device). In the example scenario of FIG. 2 , sender device 102 is associated with communication devices 202 and 208 . That is, as shown by solid lines 212 and 218 , sender device 102 has previously established communication with communication devices 202 and 208 . Similarly, the recipient device has previously established communication with communication devices 204 , 206 , and 210 as shown by solid lines 216 and 222 .

It can therefore be concluded that, according to the circumstances, the sender device 102 and the receiver device 104 do not share a common communication device. In the language set forth above with reference to FIG. 1 , the second group can be represented by the empty set. However, assume that the sender device 102 is associated with the fourth device 202 . Furthermore, the recipient device 104 is associated with a fifth device 204 . Additionally, as shown by solid line 214 , fourth device 202 is associated with fifth device 204 . See further below the description associated with FIG. 3 .

Wherein, in the absence of at least one common third device in the first device group and the second device group, the establishment of the communication between the sender device and the receiver may proceed as follows.

The sender device 102 sends a request including at least an identification of at least one subgroup associated with the fourth device 202 with which the sender device 102 is associated. The request is received by recipient device 104 . The recipient device 104 analyzes the identification of the at least one subgroup included in the request and compares the identification to a list including the at least one subgroup associated with the recipient device 104 .

In case at least one common subgroup is found, the recipient device 104 sends to the sender device 102 an identification of at least one common subgroup associated with at least the fifth device 204 . Thus, the at least one common subgroup is associated with both the sender device 102 and the recipient device 104 . It can thus be considered that the sender device 102 can be associated with the receiver device 104 via the fourth device 202 and the fifth device 204 .

The identification of the at least one common subgroup is then received by the sender device 102 . The sender device 102 then sends a message to the recipient device 104 , wherein the sender device 102 requests a reference about said recipient 104 from the fifth device 204 . The message also includes information that the reference is to be verified by the fourth device 202 . The request is forwarded by the recipient device 104 to the fifth device 204 . After receipt, the fifth device 204 sends the reference to the recipient device 104, and the recipient device 104 forwards the reference to the sender device.

However, since it can be assumed that communication between the sender device 104 and the fifth device 204 has not been established (otherwise, the sender device 102 and the receiver device 104 should have the fifth device 204 as a public device), the sender device 102 may not be able to Validate received referrals. Accordingly, the sender device 102 sends the received reference to the fourth device 202 for verification, wherein the message sent from the sender device 102 to the recipient device 202 may also include information about the source of the reference. For the present case, the source cited is the fifth device 204 . After receiving and verifying the reference, the fourth device 202 sends the verified reference to the sender device 102 . The message from the fourth device 202 to the sender device 102 may also include authentication information related to the source of the reference. That is, for the present case, the verification information related to the referenced source discloses the fifth device 204 as the source.

The sender device 102 may then create a first public encryption key for use in establishing communications from the sender device 102 to the recipient device 104 .

The sender device 102 then encrypts the received reference using the created first public encryption key. Furthermore, the sender device 102 encrypts the created first public encryption key using an additional public encryption key, wherein the additional public encryption key is associated with a previously established communication between the sender device 102 and the fourth device 202 couplet. The encrypted first public encryption key and the encrypted received reference are then sent from the sender device 102 to the recipient device 104 . Accordingly, the recipient device 104 has no knowledge of the first public encryption key created by the sender device 102 . Additionally, the recipient device 104 has no knowledge of additional public encryption keys associated with previously established communications between the sender device 102 and the fourth device 202 . Accordingly, the recipient device 102 is unable to decrypt neither the encrypted first public encryption key nor the encrypted received reference.

In order for the recipient device 104 to verify the information related to the previously established communication between the recipient device 104 and the fifth device 204 included in the encrypted reference, the recipient device 104 forwards the encrypted first public encryption key to to the fifth device 204 . The message sent from the recipient device 104 to the fifth device 204 also includes a request related to decrypting the encrypted first public encryption key.

Since the first public encryption key has been encrypted with the additional public encryption key associated with the previously established communication between the sender device 102 and the fourth device 202 as described above, the fifth device 204 cannot encrypt the encrypted The first public encryption key for decryption. Therefore, in order to decrypt the encrypted first public encryption key, the fifth device 204 forwards the request to the fourth device 202, so that the fourth device 202 is able to decrypt the encrypted first public encryption key. The decrypted first public encryption key may then be sent back from the fourth device 202 to the recipient device 104 via the fifth device 204 . For increased security, the fourth device 202 and the fifth device 204 may use other public encryption keys to encrypt the decrypted first public encryption key. During the transmission from the fourth device 202 to the fifth device 204 and during the transmission from the fifth device 204 to the recipient device 104, separate encryption keys are used.

Thus, using the decrypted first public encryption key, the recipient device 104 can decrypt previously received encrypted references related to previously established communications between the recipient device 104 and the fifth device 204 . The recipient device 104 can then verify the content of the reference. That is, by comparing the information included in the reference with the information included in the recipient device 104 (e.g., a serial number), the recipient device 104 can verify that the information included in the reference is correct and indeed consistent with the A previously established communication between the five devices 204 is related.

If the reference includes a hash value (as described above), recipient device 104 may calculate a hash value of the first public encryption key. The recipient device 104 may then perform a comparison between this calculated hash value and the hash value included in the reference to verify that the reference has not been altered during transmission.

In the event that there is no subgroup common to the sender device 102 and the recipient device 104, the recipient device 104 may send a message to the sender device 102 indicating that no common subgroup was found. The recipient device 104 may also request the sender device 102 to send a new request including at least an identification of at least one subgroup associated with the sender device 102, and which identification was not previously sent from the sender device 102 to the recipient device 104 . The recipient device 104 then receives the new request and analyzes the identification as described above. The outlined process can continue until a common subgroup is found. Alternatively, the process of establishing communication between the sender device 102 and the recipient device 104 may be terminated if no common subgroup is found. Alternatively, if no common subgroup is found, the sender device 102 and recipient device 104 may search for common devices associated with higher hierarchical levels as described below.

FIG. 3 shows an example of a communication system 300 in which communication has previously been established between the fourth device 202 and devices 102 and 302, as shown by solid lines 308 and 310, respectively, and wherein, as shown by solid lines 318, As indicated by 314 and 316, communications have been established between the fifth device 204 and the devices 104, 304, and 306, respectively. Additionally, as indicated by dashed line 320, the sender device 102 and the recipient device 104 are about to establish communication. Accordingly, devices 102 , 202 , and 302 can be considered to represent a first subset of communication systems 300 , while devices 104 , 204 , 304 , and 306 can be considered to represent a second subset of communication systems 300 . It can also be considered that these subgroups represent different categories.

Subgroups may eg represent different geographic locations, eg different countries or parts thereof. Thus, in this case, the fourth device 202 and the fifth device 204 may, for example, represent or represent different government agencies of the respective countries associated with the fourth device 202 and the fifth device 204, respectively. For example, the fourth device 202 may be geographically located in a first country and the fifth device 204 may be geographically located in a second country different from the first country. Examples of suitable government agencies may include agencies responsible for handling identification information, such as the National Identity Registry. Thus, it can be considered that the fourth device 202 and the fifth device 204 represent so-called trusted third parties.

Government agencies in different countries may be associated with organizations, such as a global trust center, which may enforce or recommend communication conditions that communication devices should meet in order to be able to establish communication with each other. Thus, the organization can communicate these communication conditions to the master device disclosed above. Additionally, the organization may be required to authenticate the master device.

Where communication system 300 is associated with a joint stock company, different subgroups may represent different departments or divisions within the joint stock company. Thus, in this case, the fourth device 202 and the fifth device 204 (which are associated as shown by the solid line 312) may, for example, represent each department or department associated with the fourth device 202 and the fifth device 204 respectively. Different data service centers associated with branches. Other examples include, but are not limited to, different internet service providers, internet communities, bank memberships, club memberships, etc. General requirements and/or agreements: The sender device 102 and the receiver device 104 trust the authority, agency, company, etc. (by the fourth device 202 and the five devices 204). Again, it can be considered that the fourth device 202 and the fifth device 204 represent so-called trusted third parties. Those skilled in the art will appreciate that these are just a few examples to which the present invention is applicable.

In general, it can thus be assumed that at least one device in each subgroup (here, exemplified by the fourth device 202 in the first subgroup and the fifth device 204 in the second subgroup, respectively) has communicated with another subgroup. The devices in the group establish communication. Furthermore, in some cases, it may be assumed that one of the subgroup devices (eg, the fourth device 202 in the first subgroup and the fifth device 204 in the second subgroup, respectively) may act as responsible for providing A government agency that issues membership to a device.

Additionally, a communication device may be associated with a plurality of different subgroups, where each associated subgroup is associated with a different application. For example, on the one hand, a communication device can be associated with a bank member, and on the other hand, a communication device can be associated with an Internet community at the same time.

FIG. 4 shows a schematic diagram of a communication system 400 similar to the communication system 300 of FIG. 3 to which the present invention is applicable. As in FIG. 3 , the sender device 102 wishes to establish communication with the recipient device 104 as indicated by the dotted line 422 , wherein the sender device 102 is associated with the first subgroup via the fourth device 202 as indicated by the solid line , and the recipient device 104 is associated with the second subset via the fifth device 204 . According to the scenario disclosed in FIG. 4 , the first subgroup includes devices 102 , 202 and 412 , while the second subgroup includes devices 104 , 204 and 420 . Referring to the above, the first and second subgroups may represent different countries. For example, a first subgroup may represent devices in a first country and a second subgroup may represent devices in a second country. The fourth device 202 and the fifth device 204 may then act as government agencies.

In this example, sender device 102 is also associated with a third subgroup including devices 102, 406, 408, and 410, as indicated by the dashed line, and, as indicated by the dotted line, is also associated with A fourth subgroup including devices 102, 414, 416, and 418 is associated. For example, a third subgroup may represent devices associated with the same bank, while a fourth subgroup may represent devices associated with the same Internet service provider.

FIG. 5 shows a schematic diagram of a communication system 500 similar to the communication system 100 of FIG. 1 to which the present invention is applicable. As in communication system 100 of FIG. 1 , communication system 200 includes a plurality of communication devices 102, 104, 106, 108, 110, 112, 114, 502, 504, which may or may not be in communication with each other.

The following will assume that the system 500 is in an operational state.

As in the method disclosed above with reference to the communication system 100 of FIG. 1 , in the communication system 500 a first device 102 (denoted as a sender device) wishes to establish communication with a second device 104 (denoted as a receiver device). As in FIG. 1 , solid lines 510 , 512 , 514 , 516 , 518 , 520 , 522 , 524 , 526 between two communication devices 102 , 104 , 106 , 108 , 110 , 112 , 114 , 502 , 504 represent Communication between the two communication devices at each end of the solid lines 510, 512, 514, 516, 518, 520, 522, 524, 526 has previously been established. That is, as in the example situation of diagram 500, there have been previously Communication is established between 106 , and between recipient device 104 and second auxiliary device 504 . As indicated by dashed line 528, communication is to be established between sender device 102 and recipient device 104. Referring now to FIG.

It can be considered that the first and second secondary devices 502 and 504 represent digital evidence for the sender device 102 and the recipient device 104, respectively. That is, all relationships established involving the sender device 102 may be required to be monitored by the first secondary device 502 . Thus, more generally, all relationships may be required to be monitored by secondary devices; the first secondary device 502 monitors the operation of the sender device 102 and/or the messages sent and received by the sender device 102, while the second secondary device 504 monitors the received operation of the party device 102 and/or messages sent and received by the recipient device 102. It can thus be considered that the monitoring process of the first and second secondary devices 502, 504 involves collecting message transaction information, such as the sender and/or recipient of the message. The monitoring process of the first and second secondary devices 502, 504 may also include providing time stamps and/or digital signatures to sent messages. Timestamps and digital signatures per se are well known in the art and therefore will not be discussed further in this disclosure. When establishing communication between the sender device 102 and the recipient device 104, the first accessory 502 of the sender device 102 and the second accessory 504 of the recipient device 204 may also be required to establish communication.

Next, referring to the communication system 500 of FIG. 5 , a process for terminating a communication established between the sender device 102 and the receiver device 104 will be disclosed. However, the process also applies mutatis mutandis to the communication systems 100, 200, 300 and 400 of FIGS. 1-4.

At the outset, it should be understood that where the first secondary device 502 monitors the operation of the sender device 102 and/or the messages sent and received by the sender device 102, the messages sent by the sender device 102 include two digital signatures; A signature is associated with the sender device 102 and a digital signature is associated with the first secondary device 502 .

Thus, with the first secondary device 502 monitoring all communication relationships established by the sender device 102, the sender device 102 can terminate the connection between the sender device 102 and the receiver device 104 by sending a message to the first secondary device 502. A communication established between , wherein the message includes information for declaring that the first auxiliary device 502 should not insert a digital signature into the monitored message. That is, in this case, the message sent by the sender device 102 includes a digital signature that is associated with the sender device 102 . If the recipient device 104 receives a message that does not include the digital signature of the first auxiliary device 502, the recipient device 502 may choose to classify the received message as incomplete so that its content may be further ignored. Since the recipient device 104 ignored the content of the received message, it may be assumed that the communication established from the sender device 102 to the recipient device 104 and/or the communication established between the sender device 102 and the recipient device 104 has been terminated. communication. Alternatively, the recipient device 104 may send a message to the sender device 102 stating that the received message was interpreted as incomplete because it did not include the digital signature of the first secondary device 502 .

A method for authenticating a sender device 102 and a receiver device 104 in a communication system 100, 200, 300, 400, 500, which has been disclosed above with reference to FIGS. method. Therefore, this method can be summarized as comprising: at step 602, the identification of the sending device 102 is created by the sending device 102; at step 604, the identification of the receiving device 104 is created by the receiving device 104; The sender device 102 sends to the receiver device 104 a request related to establishing a relationship between the sender device 102 and the receiver device; at step 608, the receiver device 104 sends to the sender device 102 the information of at least the second master device 154 identification; in step 610, the identification of the second master device 154 is sent by the sender device 102 to the first master device 152; The receiver device 104 establishes a request related to the communication conditions required for communication; in step 614, the communication condition is sent from the second master device 154 to the first master device 152; in step 616, if it is determined that the sender device 102 meets the communication condition, Then at step 618 , the sender device 102 provides the first access key to the first master device 152 ; and at step 620 , the receiver device 104 provides the second access key to the second master device 154 .

It should be noted that systems and methods for establishing communication from the sender device 102 to the recipient device 104 have been disclosed. However, those skilled in the art will understand that since, as described above, the sender device may also include the functionality of the receiver device 104, and vice versa, the communication from the receiver device 104 to the sender device 102 may be established in the same manner. communication. Accordingly, the sender device 102 may interchangeably act as the recipient device 104, and vice versa. It can therefore be considered that the systems and methods described above can be adapted to establish communications between the sender device 102 and the receiver device 104 .

Above, the present invention has been mainly described with reference to a few embodiments. However, as is readily appreciated by a person skilled in the art, other embodiments than the ones disclosed above are equally possible within the scope of the invention, as defined by the appended patent claims.

Claims (16)

1. A method in a communication system for authenticating a sender device and/or a receiver device in the communication system, the method comprising: creating, by the sender device, an identity of the sender device; creating, by the recipient device, an identification of the recipient device; sending, by the sender device to the recipient device, a request related to establishing a relationship between the sender device and the recipient device; sending at least an identifier of a second master device to the sender device by the receiver device; sending the identifier of the second master device to the first master device by the sender device; sending a request from the first master device to the second master device related to communication conditions required by the sender device in order to establish communication with the receiver device; sending the communication condition from the second master device to the first master device; and In the case that the sender device meets the communication condition: providing, by the sender device, to the first master device a first access key associated with the sender device; and A second access key associated with the recipient device is provided by the recipient device to the second master device. 2. The method of claim 1, wherein the request to the recipient device related to establishing the relationship between the sender device and the recipient device includes at least an identification, the method also includes: receiving, by the recipient device, the request; sending, by the recipient device to the sender device, at least an identification of a second device group; and receiving, by the sender device, a second set of the identities; In case there is at least one third device being one of the devices belonging to both said first device group and said second device group: sending, by the sender device, a request related to requesting a reference from the at least one third device with respect to the recipient device; receiving, by the recipient device, the reference request, and sending, by the recipient device, the request to the at least one third device; receiving, by the recipient device, the reference, and sending, by the recipient device, the reference to the sender device; receiving, by the sender device, the reference; in response thereto: creating, by the sender device, a first public encryption key for use in establishing communications from the sender device to the receiver device; encrypting, by the sender device, the reference using the first public encryption key; encrypting, by the sender device, the first public encryption key using an additional public encryption key; sending, by the sender device, the encrypted reference and the encrypted first public encryption key to the receiver device; sending, by the recipient device, the encrypted first public encryption key to the at least one third device; decrypting the encrypted first public encryption key by the at least one third device; sending, by the at least one third device, the decrypted first public encryption key to the recipient device; decrypting the encrypted reference by the recipient device; and The decrypted reference is verified by the recipient device. 3. The method of claim 2, wherein the system further comprises a fourth device and a fifth device, and the sender device is associated with the fourth device, the receiver device is associated with the a fifth device is associated, and the fourth device is associated with the fifth device; and wherein in the absence of one of the devices belonging to both the first device group and the second device group In the case of at least one third device, the method further includes: sending, by the sender device, a request related to requesting a reference to the recipient device from the fifth device, wherein the request is sent to the recipient device; forwarding, by the recipient device, the request to the fifth device; sending, by the fifth device, the reference to the recipient device; forwarding, by the recipient device, the reference to the sender device; sending, by the sender device, the reference to the fourth device; verifying, by the fourth device, the reference, and sending, by the fourth device, the verified reference to the sender device; creating, by the sender device, a first public encryption key for use in establishing communications from the sender device to the receiver device; encrypting, by the sender device, the reference using the first public encryption key; encrypting, by the sender device, the first public encryption key using an additional public encryption key; sending, by the sender device, the encrypted reference and the encrypted first public encryption key to the receiver device; sending, by the recipient device via the fifth device, the encrypted first public encryption key to the fourth device; decrypting the encrypted first public encryption key by the fourth device; sending, by the fourth device via the fifth device, the decrypted first public encryption key to the recipient device; decrypting the encrypted reference by the recipient device; and The decrypted reference is verified by the recipient device. 4. A method performed by a sender device to achieve authentication, the method comprising: creating an identity of the sender device; sending a request to a recipient device related to establishing a relationship between said sender device and said recipient device; receiving at least an identification of a second master device from the recipient device; sending the identification of the second master device to the first master device Wherein the first master device sends to the second master device a request related to the communication conditions required by the sender device for establishing communication between the sender device and the receiver device, and the second master The device sends the communication condition to the first master device, and when the sending device meets the communication condition, the method further includes: An access key is provided to the first master device. 5. The method of claim 4, wherein the request related to establishing the relationship between the sender device and the recipient device includes an identification of at least a first group of devices, the method further comprising : receiving at least an identification of a second group of devices from the recipient device; In case there is at least one common third device in the first device group and the second device group: sending a request related to requesting a reference from said at least a third device with respect to said recipient device; receiving the reference from the recipient device; creating a first public encryption key for establishing communication from said sender device to said receiver device; encrypting the reference using the first public encryption key; encrypting said first public encryption key using an additional public encryption key; and The encrypted reference and the encrypted first public encryption key are sent to the recipient device. 6. The method of claim 5, wherein the sender device is associated with a fourth device, the recipient device is associated with a fifth device, and the fourth device is associated with the fifth device and wherein, in the absence of at least one common third device in the first device group and the second device group, the method further includes: sending a request related to requesting a reference from the fourth device with respect to the recipient device; wherein the request is forwarded from the fourth device to the fifth device; receiving a valid version of the reference from the fourth device; creating a first public encryption key for establishing communication from said sender device to said receiver device; encrypting the reference using the first public encryption key; encrypting said first public encryption key using an additional public encryption key; and The encrypted reference and the encrypted first public encryption key are sent to the recipient device. 7. The method of claim 5, wherein the reference includes a serial number, and the reference is related to the identification of the recipient device performed by the third device, and the reference is related to the associated with the above sender device. 8. A method according to claim 5, wherein the first public encryption key is arranged to be used by the sender device in future communications from the sender device to the recipient device. 9. The method of claim 5, further comprising: creating an additional public encryption key for establishing communication from the sender device to the second recipient device, wherein the additional public encryption key is identical to the The first public encryption key is different. 10. The method of claim 5, further comprising: sending said request related to establishing said relationship between said sender device and said receiver device to a first secondary device; sending said request related to requesting said reference from said at least a third device with respect to said recipient device to said first secondary device; and The encrypted reference and the encrypted first public encryption key are sent to the first accessory device. 11. The method of claim 5, wherein, said request relating to establishing said relationship between said sender device and said recipient device, said request relating to requesting said reference to said recipient device from said at least a third device, And the encrypted reference and the encrypted first public encryption key also include a digital signature, and the digital signature is associated with the sending device. 12. The method of claim 5, wherein the recipient device and the third device are the same device. 13. A method performed by a recipient device to effectuate authentication, the method comprising: creating an identity of said recipient device; receiving a request from a sender device related to establishing a relationship between the recipient device and the sender device; sending at least the identity of the second master device to the sender device; Wherein the sender device sends the identity of the second master device to the first master device, and the first master device sends to the second master device the identity of the sender device to make the sender device A request related to the communication conditions required by the receiver device to establish communication, the second master device sends the communication conditions to the first master device, and when the sender device satisfies the communication conditions , the method also includes: An access key is provided to the second master device. 14. The method of claim 13, wherein the request related to requesting the recipient device to establish the relationship between the sender device and the recipient device includes at least a first group of devices. identification, the method also includes: sending at least an identification of a second device group to the sender device; In case there is at least one common third device in the first device group and the second device group: sending a request related to requesting a reference from said at least a third device with respect to said recipient device; sending the reference to the sender device; receiving, by the recipient device, the encrypted reference and the encrypted first public encryption key; sending the encrypted first public encryption key to the at least one third device; receiving the decrypted first public encryption key; decrypt encrypted references; and Verify the decrypted reference. 15. The method of claim 14, wherein the sender device is associated with a fourth device, the recipient device is associated with a fifth device, and the fourth device is associated with the fifth device and, in the case where at least one common third device does not exist in the first device group and the second device group, the method further includes: sending a request related to requesting a reference from the fifth device with respect to the recipient device; wherein the request is forwarded from the fourth device to the fifth device; sending the reference to the fifth device; receiving the encrypted reference and the encrypted first public encryption key; sending the encrypted first public encryption key to the fourth device via the fifth device; receiving the decrypted first public encryption key; decrypt encrypted references; and Verify the decrypted reference. 16. A communication device comprising circuitry configured to perform the method of claim 15.